def extract()

in nightMARE/src/nightmare/malware/stealc/configuration.py [0:0]


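def extract(file: bytes) -> dict:
    """
    This function performs extraction of stealc using bytes as input

    The input is handled purely as data: it is parsed with lief, candidate
    strings are pulled from .rdata, and the base64 candidates are decoded and
    decrypted with the recovered key.

    :param file: The actual bytes of file being extracted
    :return: A dictionary of extracted fields with values: "c2" (first
        decrypted URL concatenated with the first URI) and "key" (the
        recovered key decoded as UTF-8)
    :raise RuntimeError: If the PE cannot be parsed, the .rdata section or the
        key is not found, or no C2 URL / URI is present in the decrypted strings
    """
    if not (PE := lief.parse(file)):
        raise RuntimeError("Failed to parse PE file")

    if not (rdata := utils.get_section_content(PE, ".rdata")):
        raise RuntimeError(".rdata section not found")

    candidate_list = utils.find_strings(rdata)

    if not (key := find_key(candidate_list)):
        raise RuntimeError("Failed to find key")

    strings = [
        crypto.decrypt_string(base64.b64decode(x.decode()), key)
        for x in filter(utils.is_base64, candidate_list)
    ]

    # A sample that is packed, truncated or from a different variant can pass
    # the key search and still yield no URL/URI. Report that the same way as
    # the other extraction failures instead of leaking a bare IndexError.
    urls = list(filter(utils.is_url, strings))
    if not urls:
        raise RuntimeError("Failed to find C2 URL")

    uris = find_uris(strings)
    if not uris:
        raise RuntimeError("Failed to find C2 URI")

    # Only the selected URL is decoded, so an undecodable later match cannot
    # abort extraction of the first one.
    url = urls[0].decode("utf-8")
    uri = uris[0]

    return {
        "c2": url + uri,
        "key": key.decode("utf-8"),
    }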